AI Coding Agents Vulnerable to Sneaky Attacks via Malicious Configuration Files and Prompt Injections
June 28, 2026
Attack vectors now extend to project-specific configuration files (like CLAUDE.md, .cursorrules, AGENTS.md) that hide directives or Unicode characters guiding malicious actions, with even README files capable of steering exfiltration of environment variables and credentials.
In a demonstrated chain, a fragile Python package triggers Claude Code to execute an attacker-controlled shell script during an error-resolution step, yielding a reverse shell with the attacker’s privileges even though no malware sits in the repository.
The report warns against trusting unknown projects as safe code or relying on AI tools for security analysis; developers must scrutinize what will run and how, rather than following prompts blindly.
Vendors are patching specific vectors (such as Claude Code permission bypasses and GitHub Copilot injections) and issuing CVEs, while NIST classifies prompt injection as a major ongoing security flaw tied to AI agents’ core instruction-reading and action-taking roles.
A real-world test on June 3 with the Miasma supply-chain worm disabled 73 Microsoft/Azure repositories by deploying malicious npm packages; the payload activates when AI agents process affected repos, illustrating a configuration-injection-based risk.
The attack surface spans multiple coding agents beyond Claude, underscoring a broader risk for AI-assisted development environments and the need for stricter vetting of code and execution steps.
The exploit is stealthy because each step appears ordinary, and security tools may miss the activity; domain configuration and the reverse shell are disguised through legitimate-looking actions.
Another vulnerability class, called ‘Comment and Control,’ shows prompt injection via pull request titles, issues, and comments, where trusted context is manipulated to exfiltrate credentials or inject malicious code.
The attack chain unfolds in three steps: Claude clones a malicious repo, a deceptive README prompts Python environment initialization, and a shell script downloads code and queries a DNS TXT record to fetch a base64 payload that opens a reverse shell.
Industry response includes security guidance plugins from Anthropic and advisories urging manual review of configuration files before using AI coding agents; overall, the “helpfulness” of AI agents expands the attack surface, necessitating vigilance and layered defenses.
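As an added example (not code from either source article or from any vendor named above), the following scanner implements the manual-review step recommended here for the configuration files the article names: it flags invisible or text-reordering Unicode characters (zero-width spaces, bidi overrides, tag characters) that can hide directives from a human reader while an agent still ingests them. The file names and the sample CLAUDE.md content are constructed for the demonstration.

```python
import unicodedata

# Agent configuration files the article names; the scan applies to any text file.
AGENT_CONFIG_FILES = ("CLAUDE.md", ".cursorrules", "AGENTS.md", "README.md")

# Unicode tag characters (U+E0000..U+E007F) mirror ASCII but render as nothing,
# so a line can carry a second, invisible sentence for a model to read.
TAG_BASE = 0xE0000

def scan_text(text):
    """Return (line, column, 'U+XXXX', name) for every invisible or reordering
    character. General category Cf (format) covers zero-width spaces and joiners,
    bidi overrides and isolates, and the tag characters."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.category(ch) == "Cf":
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "UNKNOWN")))
    return findings

def recover_tag_payload(text):
    """Decode text hidden with tag characters back to readable ASCII."""
    return "".join(chr(ord(ch) - TAG_BASE) for ch in text
                   if TAG_BASE + 0x20 <= ord(ch) <= TAG_BASE + 0x7E)

def scan_files(paths):
    """Scan each path; returns {path: findings} for files containing hidden chars."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                hits = scan_text(fh.read())
        except (OSError, UnicodeDecodeError):
            continue  # missing or binary file: nothing to report
        if hits:
            report[path] = hits
    return report

# Constructed sample: a CLAUDE.md that looks clean in an editor but carries a
# tag-encoded sentence on line 2 and a right-to-left override on line 3.
HIDDEN = "".join(chr(TAG_BASE + ord(c)) for c in "hidden text")
SAMPLE_CLAUDE_MD = ("# Project guidelines\n"
                    "Run the test suite before committing." + HIDDEN + "\n"
                    "Use black for formatting.\u202e\n")

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_CLAUDE_MD):
        print("line %d col %d %s %s" % hit)
    print("tag payload:", repr(recover_tag_payload(SAMPLE_CLAUDE_MD)))
```

Run it from a checkout with `scan_files(AGENT_CONFIG_FILES)` before letting an agent read the project; any non-empty report deserves a look before the agent acts on the file.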
Summary based on 2 sources
Sources

The Eastern Herald • Jun 28, 2026
How a Clean GitHub Repo Tricks Your AI Coding Agent Into Running Malware